E sign

SteveR · ‎06-15-2023

Trying to upgrade my phone , past credit check received air time contract then hit the three brick wall called the technical department who have a problem sending what the call the e sign contract, untill you get this and sign it you will not get your phone, been told to wait up to 72 hrs for this to arrive which is a joke when in this day of technology you expect to receive an email within a couple of minutes, then they go on to tell you that if you fail to sign this document within the 72hrs they will with draw your order and you will have to start the process, all over again, how can you sign something when THREE CANNOT provide you with the necessary document all because the baffons they call TECHNICAL caint sort the gremlin out that is preventing this.
How do THREE expect there customers to upgrade or purchase phones with a BROKEN SYSTEM, Three needs a kick up the back side and get there house in order, if you are going to upgrade your back room system I suggest you test test test and test again before you go live with it instead of giving us YOUR CUSTOMER the people that enable YOU to earn a living a headache when trying to upgrade/buy new products

Lmm72 · ‎06-16-2023

I’ve got the same problem. Been waiting three days, Been on chat & rung them. Still no further forward. I can’t get on the website either.

CatMind · ‎06-18-2023

I’ve been waiting for four days now. Same story - tech support’s “best” solution was to ask me provide a different email address (bearing in mind, I have no problem receiving any minutiae communication from Three to my existing email). They cannot cancel the stuck order either. When it’s finally cancelled (whenever that might be), I am leaving this network as soon as I can.

bnewton · ‎09-05-2023

Same exact problem here. It turns out that this is because three's technical support team is incompetent.

Let me dissect this issue for you...

Firstly, three send customers emails from multiple domains, which, is bad practice. In today's age, ideally, customers should be familiar with one or two solidly recognisable email addresses which they can easily identify as authentic. Once you introduce multiple subdomains and multiple emails, you muddy the situation and introduce security risks and vulnerabilities for your customers.

So, let's look at the email addresses which three use during the order checkout process:

@mails.three.co.uk
@servicemails.three.co.uk
@service.mails.three.co.uk
@notifications.three.co.uk

This is where it get's interesting. The first three emails work fine, they are set up correctly, they are secure, they have the appropriate authorisation and security protocols in place. Those emails are the accounts which send the 'order confirmation' and 'customer agreement form'. The reason you receive those emails but not the eSign one, is because those emails are sent from an email address that is properly configured on the server.

Unfortunately, problems arise when we investigate notifications.three.co.uk (which, it appears is the email address used to send the eSign form/link).

It turns out that notifications.three.co.uk domain DOES NOT have a DKIM or SPF record set up. This is awful news for three's customers, and introduces all kinds of vulnerabilities and security risks. Firstly, not having these records appropriately set-up, means that hackers can hijack, intercept or spoof emails to make them look like they were sent by three, when in fact they were not. The reason the eSign document is never received by customers, is because, it is sent from such a vulnerable email. Most email servers will rightfully reject this email without even putting it in the user's spam folder, it will simply be outright rejected and disappear into non-existence. This is because the recipient email server is unable to authenticate the authenticity of the sender.

I've tried to raise this issue multiple times, but, so far it's fallen on deaf ears. Nobody in their overseas call centre cares, nor do they understand English well enough to grasp how serious of a situation this is, and how urgently it should be addressed. This is a security risk.

bnewton · ‎09-05-2023

The error logs are as follows, this suggests that three.co.uk need to hire better technical staff 🙂

2023-09-05 11:52:04 H=cluster-j.mailcontrol.com [85.115.54.190]:60486 sender verify fail for <noreply@notification.three.co.uk>: cust7051-s.out.mailcontrol.com [85.115.60.190] : SMTP error from remote mail server after RCPT TO:<noreply@notification.three.co.uk>: 550 5.7.1 <noreply@notification.three.co.uk>... Relaying denied
2023-09-05 11:52:04 H=cluster-j.mailcontrol.com [85.115.54.190]:60486 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<noreply@notification.three.co.uk> rejected RCPT <EMAIL REDACTED>: Sender verify failed

bnewton · ‎09-06-2023

@JohnD maybe you can pass this up the chain of command and get the information to where it needs to be, so somebody technical can fix it.